Good point Chris. From someone that had to write "escape" code before (messy), I think this is definitely something that JDBC developers should have put in. :P I wonder if JDBC 3.0 offers that kind of functionality?

-Tim
-----Original Message-----
From: Chris Tucker [mailto:[EMAIL PROTECTED]]
Sent: Thursday, November 15, 2001 1:33 PM
To: [EMAIL PROTECTED]
Subject: Re: Login Authentication against database...

Tim,

Simply making sure you escape any single-quotes in your input string to single-quote single-quote will fix the problem. But I feel that JDBC should have some "official" way of doing this for you (seeing as how Java Strings are fixed length, buggering about with replacing one character with two others is inefficient and a little awkward).

Just to demonstrate the point, Bob's loophole would then result in a query of:

"select * from username='x'' or 1=1 --' and password='x'"

which will simply check to see if the username is "x' or 1=1 --" and the password is "x" -- clearly, unless you have a user with that name and password, this query will not succeed.

Chris

-----Original Message-----
From: A mailing list about Java Server Pages specification and reference [mailto:[EMAIL PROTECTED]] On Behalf Of Chen, Gin
Sent: Thursday, November 15, 2001 10:21 AM
To: [EMAIL PROTECTED]
Subject: Re: Login Authentication against database...

I mean now behind .. :-P

-----Original Message-----
From: Chen, Gin [mailto:[EMAIL PROTECTED]]
Sent: Thursday, November 15, 2001 1:20 PM
To: [EMAIL PROTECTED]
Subject: Re: Login Authentication against database...

That's interesting. I didn't realize that he meant it as a single string value. Actually what you mean is that the query would be

"select * from username='x' or 1=1 --' and password='x'"

Notice that the extra ' that gave me an error before is not behind the comment marker. Nice catch Bob. Now what security measure do you suggest?

-Tim

-----Original Message-----
From: David Nguyen [mailto:[EMAIL PROTECTED]]
Sent: Thursday, November 15, 2001 12:53 PM
To: [EMAIL PROTECTED]
Subject: Re: Login Authentication against database...

Interesting. Actually what he wanted to point out is a possible loophole in the authentication method discussed.

I can imagine if this query is launched:

"select * from username='anybody' or 1=1 -- and password='tiger'"

then anybody can access the application (since the -- would make the password irrelevant). With Bob's parameter, the query would be

"select * from username='anybody'' or 1=1' -- and password='tiger'"

here the string anybody is 'anybody" or 1=1' (I didn't try though)

david

-----Original Message-----
From: A mailing list about Java Server Pages specification and reference [mailto:[EMAIL PROTECTED]] On Behalf Of Joe Cheng
Sent: Thursday, November 15, 2001 9:33 AM
To: [EMAIL PROTECTED]
Subject: Re: Login Authentication against database...

Celeste, what's a "more secure" means? Now you've got me curious. And Bob wasn't pointing out a loophole, just calling attention to the non-escaped values in the SQL statement below.

-jmc

===========================================================================
To unsubscribe: mailto [EMAIL PROTECTED] with body: "signoff JSP-INTEREST".
For digest: mailto [EMAIL PROTECTED] with body: "set JSP-INTEREST DIGEST".
Some relevant FAQs on JSP/Servlets can be found at:
http://archives.java.sun.com/jsp-interest.html
http://java.sun.com/products/jsp/faq.html
http://www.esperanto.org.nz/jsp/jspfaq.jsp
http://www.jguru.com/faq/index.jsp
http://www.jspinsider.com
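The "official" JDBC mechanism Chris and Tim are asking about is java.sql.PreparedStatement, which has been part of JDBC since its first release: the SQL text and the parameter values travel to the driver separately, so no quote-doubling is needed. The following is an added example written for this thread, not code posted by any of its participants. It shows both the hand-escaping approach Chris describes (so you can see it produce exactly the query he quotes) and the parameterised form. The table name `users`, the column names, and the JDBC URL are assumptions; the thread never names them.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

/**
 * Added example, not from the thread. Compares the two ways of building the
 * login query discussed above. Table/column names and the JDBC URL are
 * assumed; substitute your own.
 */
public class LoginCheck {

    // Placeholder: replace with the JDBC URL of the driver on your classpath.
    private static final String JDBC_URL = "jdbc:PLACEHOLDER";

    /**
     * Hand-escaping as Chris describes: double every single quote, then
     * concatenate. Correct for the quote case, but easy to forget for one
     * field, and it leaves the query built as a string.
     */
    static String escapedQuery(String username, String password) {
        String u = username.replace("'", "''");
        String p = password.replace("'", "''");
        return "select * from users where username='" + u
             + "' and password='" + p + "'";
    }

    /**
     * Parameterised form: the driver sends the statement text and the
     * bound values separately, so the input is never parsed as SQL.
     * Returns true when exactly such a user/password row exists.
     */
    static boolean authenticate(Connection conn, String username, String password)
            throws SQLException {
        String sql = "select 1 from users where username = ? and password = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, username);
            ps.setString(2, password);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next();
            }
        }
    }

    public static void main(String[] args) throws SQLException {
        // The input from the thread, used here only to show how each
        // approach treats it as a plain value rather than as SQL.
        String bobsInput = "x' or 1=1 --";

        // Prints: select * from users where username='x'' or 1=1 --' and password='x'
        System.out.println(escapedQuery(bobsInput, "x"));

        try (Connection conn = DriverManager.getConnection(JDBC_URL)) {
            // false unless a user is literally named "x' or 1=1 --" with password "x"
            System.out.println(authenticate(conn, bobsInput, "x"));
        }
    }
}
```

The escapedQuery output reproduces the query Chris quotes, with the doubled quote keeping the whole input inside the string literal. The authenticate method is the form to ship: with a PreparedStatement the driver, not your code, is responsible for keeping data and SQL apart, which removes the "did I remember to escape this field" question entirely.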
